On 13-12-19 15:00, Rob Crittenden wrote:
> Kees Bakker wrote:
>> On 06-11-19 17:16, Rob Crittenden wrote:
>>> Kees Bakker via FreeIPA-users wrote:
>>>> Thanks Rob
>>>>
>>>> Here are my findings, mainly as an FYI.
>>>>
>>>> On the CA master it reports the following (which I have to investigate)
>>>> [
>>>>    {
>>>>      "source": "ipahealthcheck.ipa.certs",
>>>>      "kw": {
>>>>        "msg": "Unknown certmonger id 20190412141828",
>>>>        "key": "20190412141828"
>>>>      },
>>>>      "uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3",
>>>>      "duration": "0.980984",
>>>>      "when": "20191106095349Z",
>>>>      "check": "IPACertTracking",
>>>>      "result": "WARNING"
>>>>    }
>>>> ]
>>> To see what the request is run:
>>>
>>> # getcert list -i 20190412141828
>>>
>>> It may be perfectly fine, it is acceptable to track other certs on the
>>> master, it is just unexpected so healthcheck is warning about it.
>>>
>>
>> The warning is for a cert that I created for a FreeRADIUS server (which
>> I never actually managed to get working).
>>
>> The warning is a bit annoying because the cert is alright, I think. It is
>> listed with "status: MONITORING".
>> So, I think that the cert is not unknown to certmonger, despite what the
>> error suggests.
>>
>> I am considering creating another cert for some other service, in the same
>> manner as I did for FreeRADIUS. That new cert would then also be flagged with
>> a warning.
>>
>
> This particular check isn't verifying whether the cert is ok. It is
> checking that the tracking for the standard IPA certs is done correctly.
>
> If there are additional certs, it has no way of knowing how to validate
> them, so it warns instead. We discourage running additional software on an IPA
> master. Using a master to manage a cert is probably fine but is a grey
> area. I chose to warn as a heads-up, to keep a paranoid stance of
> warning on anything unexpected.

Ah, I see. So, I better not do that then.

>
> I have an idea to create an ignore list but it probably won't see the
> light of day for a while.
>
> This is good feedback, thanks.

Likewise.
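
An added example, not part of this thread and not code from ipa-healthcheck or certmonger: a small Python script that does locally what Rob describes as a future "ignore list". It reads the JSON report shape quoted above, parses `getcert list`-style output, and only silences an "Unknown certmonger id" warning when the request ID is on an operator-maintained allow-list and certmonger still reports it as MONITORING and not stuck. The second report entry, the `getcert list` text, the subjects and the file paths are constructed sample data; the allow-list mechanism itself is hypothetical and lives only in this script.

```python
"""Triage ipa-healthcheck IPACertTracking warnings against a local allow-list.

Added example; not part of the FreeIPA-users thread, ipa-healthcheck or certmonger.
All sample input below is constructed so the script runs offline.
"""
import json
import re

# Constructed sample in the shape of the healthcheck JSON quoted in the thread.
# The first entry mirrors the thread; the second entry is hypothetical.
HEALTHCHECK_JSON = """
[
  {"source": "ipahealthcheck.ipa.certs",
   "kw": {"msg": "Unknown certmonger id 20190412141828", "key": "20190412141828"},
   "uuid": "f3d6ccb9-fb82-49ac-aa02-f485d08826c3", "duration": "0.980984",
   "when": "20191106095349Z", "check": "IPACertTracking", "result": "WARNING"},
  {"source": "ipahealthcheck.ipa.certs",
   "kw": {"msg": "Unknown certmonger id 20200101000000", "key": "20200101000000"},
   "uuid": "00000000-0000-0000-0000-000000000001", "duration": "0.001",
   "when": "20191106095349Z", "check": "IPACertTracking", "result": "WARNING"}
]
"""

# Constructed sample in the style of `getcert list` output: one block per
# request, opened by "Request ID '<id>':" and followed by tab-indented fields.
# Subjects and paths are hypothetical.
GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20190412141828':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/raddb/certs/server.key'
\tcertificate: type=FILE,location='/etc/raddb/certs/server.pem'
\tCA: IPA
\tsubject: CN=radius.example.com,O=EXAMPLE.COM
Request ID '20200101000000':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/other.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/other.pem'
\tCA: IPA
\tsubject: CN=other.example.com,O=EXAMPLE.COM
"""


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list`-style text."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is not None and line.startswith(("\t", " ")) and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def unknown_tracking_ids(report):
    """Yield request IDs from IPACertTracking warnings about unknown certmonger ids."""
    for entry in report:
        if entry.get("check") != "IPACertTracking" or entry.get("result") != "WARNING":
            continue
        kw = entry.get("kw", {})
        if kw.get("key") and kw.get("msg", "").startswith("Unknown certmonger id"):
            yield kw["key"]


def triage(report, tracked, allow_ids):
    """Classify each unknown-id warning; returns [(request_id, verdict, detail)].

    allow_ids holds request IDs the operator has reviewed and accepts on this
    master (the hypothetical local 'ignore list'). An allow-listed request is
    still reported if certmonger is not happily monitoring it.
    """
    verdicts = []
    for rid in unknown_tracking_ids(report):
        req = tracked.get(rid)
        if req is None:
            verdicts.append((rid, "ERROR", "not present in getcert list output"))
        elif req.get("status") != "MONITORING" or req.get("stuck") == "yes":
            verdicts.append((rid, "WARNING",
                             "status=%s stuck=%s" % (req.get("status"), req.get("stuck"))))
        elif rid in allow_ids:
            verdicts.append((rid, "IGNORED", req.get("subject", "")))
        else:
            verdicts.append((rid, "WARNING", "unreviewed extra request: " + req.get("subject", "")))
    return verdicts


def run(healthcheck_json=HEALTHCHECK_JSON, getcert_text=GETCERT_LIST,
        allow_ids=("20190412141828",)):
    """Parse both inputs and triage; defaults use the constructed samples."""
    return triage(json.loads(healthcheck_json), parse_getcert_list(getcert_text), set(allow_ids))


if __name__ == "__main__":
    for rid, verdict, detail in run():
        print("%-8s %s  %s" % (verdict, rid, detail))
```

In real use you would feed it `ipa-healthcheck --output-type json` and `getcert list` output instead of the embedded samples; the point of the status/stuck check is that an allow-list only suppresses the "unexpected request" warning, never a renewal problem on that request.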


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
